The European Parliament adopted by 529 votes to 29, with 14 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on information accompanying transfers of funds and certain crypto-assets (recast).
The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the Commission's proposal as follows:
Ensuring traceability of transfers of crypto-assets
The aim of this recast is to introduce an obligation for crypto asset service providers to collect and make accessible certain information about the originator and the beneficiary of the transfers of crypto assets they operate.
In order to ensure the transmission of information throughout the payment chain or the transfer of crypto-assets chain, the Regulation provides for a system imposing the obligation on payment service providers to accompany transfers of funds with information on the payer and the payee and the obligation on crypto-asset service providers to accompany transfers of crypto-assets with information on the originator and the beneficiary.
This will ensure traceability of crypto-asset transfers in order to be able to better identify possible suspicious transactions and block them.
The introduction of this ‘travel rule’ will ensure financial transparency on exchanges in crypto-assets and will provide the EU with a solid and proportional framework that complies with the most demanding international standards on the exchange of crypto-assets, in particular the recommendations of the Financial Action Task Force (FATF), the global money laundering and terrorist financing watchdog.
This Regulation should apply to transfers of funds, in any currency, which are sent or received by a payment service provider or an intermediary payment service provider established in the Union. It should also apply to transfers of crypto-assets, including transfers of crypto-assets executed by means of crypto-ATMs, where the crypto-asset service provider, or the intermediary crypto-asset service provider, of either the originator or the beneficiary has its registered office in the Union.
This Regulation should not apply to a transfer of crypto-assets if any of the following conditions is met: (a) both the originator and the beneficiary are crypto-asset service providers acting on their own behalf; (b) the transfer constitutes a person-to-person transfer of crypto-assets carried out without the involvement of a crypto-asset service provider.
Self-hosted address
There will be specific requirements for crypto-asset transfers between crypto-asset service providers and un-hosted wallets.
The requirements set out in the Regulation should apply to all transfers including transfers of crypto-assets to or from a self-hosted address, as long as there is a crypto-asset service provider involved.
In the case of a transfer to or from a self-hosted address, the crypto-asset service provider should collect the information on both the originator and the beneficiary, usually from its client. A crypto-asset service provider should in principle not be required to verify the information on the user of the self-hosted address. Nonetheless, in the case of a transfer of an amount exceeding EUR 1 000 that is sent or received on behalf of a client of a crypto-asset service provider to or from a self-hosted address, that crypto-asset service provider should verify whether that self-hosted address is effectively owned or controlled by that client.
The Commission should assess, no later than 18 months after the date of application of the Regulation, the need for additional specific measures to mitigate the risks posed by transfers to or from self-hosted addresses or to or from entities not established in the Union, including the introduction of possible restrictions, and should assess the effectiveness and proportionality of the mechanisms used to verify the accuracy of information concerning the ownership of self-hosted addresses.
Obligations on intermediary crypto-asset service providers
Intermediary crypto-asset service providers should:
- ensure that all the information received on the originator and the beneficiary that accompanies a transfer of crypto-assets is transmitted with the transfer and that records of such information are retained and made available on request to the competent authorities;
- implement effective procedures, including, where appropriate, monitoring after or during the transfers, in order to detect whether the information on the originator or the beneficiary has been submitted previously, simultaneously or concurrently with the transfer or batch file transfer of crypto-assets, including where the transfer is made to or from a self-hosted address;
- establish effective risk-based procedures, including procedures based on the risk-sensitive basis, for determining whether to execute, reject, return or suspend a transfer of crypto-assets lacking the required information on the originator and the beneficiary and for taking the appropriate follow up action.
Policies, procedures and internal controls to ensure the implementation of restrictive measures
Payment service providers and crypto-asset service providers should have policies, procedures and internal controls to ensure the implementation of EU and national restrictive measures when transferring funds and crypto-assets under the Regulation.
Data protection
Regarding data protection, it is expected that the general data protection regulation (GDPR) remains applicable to transfers of funds, and that no separate data protection rules will be set up.
The European Data Protection Board should, after consulting EBA, issue guidelines on the practical implementation of data protection requirements for transfers of personal data to third countries in the context of transfers of crypto-assets. EBA should issue guidelines on suitable procedures for determining whether to execute, reject, return or suspend a transfer of crypto-assets in situations where compliance with data protection requirements for the transfer of personal data to third countries cannot be ensured.